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The invention relates to a method of encoding a gRqahical message based on a 
key sequence as an encoded sequence of information units, and to a decryption device for 
reconstructing such a gr^hical message given the key sequence. 



Visual cryptography (M. Naor, A. Shamir: Visual Cryptology, Eurocrypt '94, 
Spiinger-Verlag LNCS Vol.950, Springer-Verlag, 1995, ppl-12) can briefly be described as 
follows. An image is spUt into two randomized parts, the image plus a randomization and the 
randomization itself. Either part contains no information on the original image because of the 
randomization. However, when both parts are physicaUy overlaid the original image is 
reconstructed. An example is given in Fig. 1: original image 100 is split into shares 110 and 
120, which when overlaid result in reconstructed image 130. 

If the two parts do not fit together, no information on the original image is 
revealed and a random image is produced. Therefore if two parties want to communicate 
using visual cryptography, they have to share the randomization. A basic implementation 
would be to give a receiving party a transparency containing the randomization. The sender 
would then use this randomization to randomize flie origmal message, and transmits flie 
randomized message to the receiver, on a transparency or by any other means. The receiver 
puts the two transparencies on top of each other and recovers the message. This scheme can 
be compared to a one-time pad. 

A more flexible implementation is obtained -when using two display screens, 
e.g. two LCD screens. A first screen displays the image plus randomization and a second 
screen displays the randomization itself. If the screens are put on top of each other, the 
reconstructed image appears. European patent application 02075527.8 (attorney docket 
PHNL020121) describes a device enable of reconstracting graphical messages produced 
using visual cryptogrs5)hy. This device makes use of the polarization rotating effect of liquid 
crystal cells in a liquid crystal display. 

Polarization filters in liquid crystal displays only let light through with a 
particular polarization. NormaUy a Uquid crystal cell rotates the polarization of the light that 
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passes through it over a certain angle. If a sufficient voltage is appUed to the cell, no rotation 
takes place. This is referred to as "activating" that cell. Light will not be visible if the total 
rotation of the polarization of the incoming light after passing through the two superimposed 
liquid crystal layers is perpendicular to the polarization direction of the second polarization 
filter. 

Afterreceivjng«rsequeB6e-(rfinformation4uuts,4)redEei^^ 

binary values, the device renders the sequence on the first Uquid crystal display by activating 
or not activating cells in the liquid crystal layer. No processing or decryption step is 
necessary before any displaying takes place; the information units are displayed as they are 
recdved. On a second display another pattern is displayed, which is generated based entirely 

on a key sequence. 

Reconstraction of the image is performed by superimposing the first and 
second displays in the correct aUgmnent, so that the user can see the reconstructed graphical 
message. The reconstruction is performed directly by the human eye and not by a device 
15 which might be compromised. This makes the use of visual cryptography to communicate 
seoret information more secure. 

The above-mentioned European patent application 02075527.8 describes that 
the polarization of the individual cells in the Uquid crystal layers is rotated over 0 or 90 
degrees in the case of transmissive displays, or over 45 degrees in the case of reflective 
20 displays. This means that the method and device in this application can only encode and 
reconstruct graphical messages in pure black and white. 



It is an object of the present invention to provide a method according to the 
25 preamble which maintains the resolution and brightness of the original graphical message, 
and which permits the encoding of graphical messages comprising pixels of arbitrary 
intensities such tiiat reconstruction maintains those intensities. 

This object is achieved according to the invention in a method comprising for 
each pixel of the graphical message, said pixel having a normaUzed intensity I: detemuning a 
30 total rotation value a r^resenting a rotation of a polarization of a cell m a Uquid crystal 

display resulting in a pixel with substantially the mtensity I, choosing an element en from the 
key sequence, the element representing an arbitrary rotation of a polarization of a cell in a 
Uquid crystal display, computing a first message value ai as a difference between the rotation 
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value a and the element ofe, and outputting an element of the encoded sequence based on the 
first message value 04. 

In principle it is possible to rotate the polarization of light in a hquid crystal 
display over an arbitrary angle within a certain range, say [0, 7r/2] or [0, ir], depending on the 
construction of the hquid crystal display and the appUed voltage over a Uquid crystal cell. It 
is possible to cause a pbcel to appear with a particular intensity depending on the chosen 
angle. However, varying the intensity is not described or suggested in the above-mentioned 
patent application. 

According to the present invention, rather than encoding pixels of the 
graphical message as binary values, as is done in the prior art, the intensity of the pixels in 
the message is now used in the encoding. The key sequence now essentially represents a 
series of arbitrarily chosen rotations rather than arbitrarily chosen black or white pixels. An 
element of the encoded sequence is computed based on the difference between a rotation 
indicated by an element of the key sequence and the total rotation for a particular pixel of ihe 
graphical message. 

If the key sequence is chosen carefully, it will not be possible to reconstruct 
the graphical message given only the encoded sequence (the "first share" in visual 
cryptography terminology). However, a recipient who has both the encoded sequence and the 
key sequence can display them on two respective Kquid crystal displays. The intensity of the 
pixels on the respective displays is controlled in accordance with the values indicated in the 
respective sequences. Superimposing the two displays causes the origuial message to ^ear 
in its original quality and with pixels having substantiaUy the same intensity or gray scale 
values. 

In an embodiment the method fiirther comprises computing an intermediate 
value X as x = arccos(|Va)|) and detennining the value a as either x or tt- x. Both x and t- x 
represent rotations that result in the desired intensity I. It is now possible to obtain different 
message values ai for two different pixels with the same normalized intensity even when the 
corresponding key elemait is the same for bofli pixels. 

In a further embodiment the normalized intensity I corresponds to an intensity 
of a first color component of the pixel in question, and the method fiirther comprises 
repeating the detennining, choosing and computing steps for a second rotation value 
corresponding to anormalized intensity of a second color component of said pixel to obtain a 
second message value, repeating the detemuning, choosing and computing steps for a third 
rotation value corresponding to a normalized intensity of a third color component of said 
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pixel to obtain a third message value, and outputting the element of the encoded sequence 
further based on ttie second and third message values. 

In color LCDs, one color pixel is built from three sub-pixels or color 
components. Each sub-pixel has a respective difiFerent color (red, green and blue) by. for 
5 example, applying a color filter. As with gray scales, the intensity of each of the colors can be 
cBmpg:mmviau^y1)yxhapging^e^espe6lave^otatiQBS-(aR.-a6-an an d thi s wa> 



pixels with any color can be produced. Thus a colored pixel can be represented as a set of 
three intensities or as a set of three rotations. By applying the determimng, choosmg and 
computing steps for all three intensities of apixel, a set with three message values is obtained 
10 for that pixel. The encoded sequence now contains information on the color of the pixel, 
which allows reconstruction of the graphical message in the original colors. 

In practice a pixel mtensity is not always taken arbitrarily from the range 
[0, 1], but instead is often limited to, say, 256 possible values. This means that the number of 
possible values for the message value and the corresponding element of the key sequence is 
15 Umited as well. If these values are not carefully chosen, fewer intensities are available for the 
reconstructed image than would be theoreticaUy possible. To increase the number of possible 
intensities, in an embodiment an arbitrarily chosen offset A is added to the message value, to 
the key sequence value (the element Ofe), or distributed over both. 

The invention fttrther advantageously provides for a compute program 
20 arranged for causmg a processor to execute the method of the invention. In this way, the 
invention can be carried out on any computer system. 

It is a further object of the invention to provide a decryption device according 
to the preamble, which is able to reconstruct graphical messages encoded according to the 
method of the invention while substantially maintaming the resolution and brightness of the 
25 original graphical message and the intensities of the pixels therein. 

This object is achieved according to the present invention in a device 
comprising receiving means for receivmg an encoded sequence of information units, a first 
Uquid crystal display arranged for displaying the sequence of information units by rotating 
the polarization of respective cells in a first Uquid crystal layer by an amount indicated by 
30 respective elements in the encoded sequence, a second Uquid crystal display, different from 
the first Uquid crystal display, arranged for rotating the polarization of respective cells in a 
second Uquid crystal layer by an amount indicated by respective elements in the key 
sequence, in which the first and second Uquid crystal display are arranged to be 
supraimposed on each other. 
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Various advantageous embodiments of the device are set out in the dependent 



claims. 



5 These and other aspects of the invention will be apparent from and elucidated 

with reference to the embodiments shown in the drawings, in which: 

Fig. 1 shows an original image, two shares obtained by visually encrypting the 
original image and a reconstructed image obtained by superimposing the two shares; 

Fig. 2 schematically shows a system comprising a server and several clients; 
10 Fig- 3 schematically shows the construction of a Uquid crystal display (LCD); 

Figs. 4 A-C graphically show the intensity of a pixel in an LCD as a function 
of a rotation a m various situations; 

Fig. 5 schematically illustrates a first embodiment of the encoding method 
performed by the server to visually encrypt a graphical message; 
15 Fig. 6 schematically illustrates a second embodiment of the encoding method; 

Figs. 7A-C schematically illustrate the operations of the client device; and 
Figs. 8 A-D illustrate various embodiments for the first and second liquid 
crystal displays used in the client device. 

Throughout the figures^ same reference numerals indicate similar or 
20 corresponding features. Some of the features indicated in the drawings are typically 

implemented in software, and as such represent software entities, such as software modules 
or objects. 



25 Fig. 2 schematically shows a system according to the invention, comprising a 

server 200 and several clients 201, 202, 203. While the clients 201-203 are embodied here as 
a laptop computer 201, a palmtop computer 202 and a mobile phone 203, they can in fact be 
realized as any kind of device, as long as the device is able to interactively communicate with 
the server 200 and is able to render graphical images on an LCD screen. The communication 

30 can take place over a wire, such as is the case with the laptop 201 , or wirelessly like with the 
palmtop computer 202 and llie mobile phone 203. A network such as the Intemet or a phone 
network could interconnect the server 200 and any of the cheats 201-203. 

The server 200 generates an image representing a message that needs to be 
communicated to the operator of the client 201 . The image will be encoded using visual 
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cryptography before transmission, as will be discussed below with reference to Fig. 5. The 
graphical message can of course comprise any type of information that one could want to 
transmit securely and privately to another party. For example, a customer's bank balance 
could be commimicated this way, as shown hi Fig. 2 as graphical message 220. Other 
examples include private e-mail messages, a new PIN code or password to be provided to the 

peratorofclientdevice-2^)l-: 

A particularly advantageous application is to securely allow composition of a 
message by the operator of cUent 201. In this embodiment, the server generates an image 221 
which r^resents a plurality of mput means such as keys on a keyboard. Each input means 
represents an mput word tiiat can be used m the message that will be composed by the user. 
Next to keys, the input means could also be checkboxes, selection lists, sliders or other 
elements typically used in user interfaces to fecilitate user input This application is discussed 

in more detail below. 

The server 200 encodes the image 220, 221 as a sequence of information units 
based on visual cryptography. This encoded sequence is then transmitted to one of the client 
devices 201-203. Such transmissions are straightforward to implement and will not be 
elaborated upon here. Note that it is not necessary to protect this transmission by e.g. 
encrypting the encoded sequence or setting up a secure auttienticated channel, before 
transmitting it. Because of the process used to choose the elements of the sequence, it is 
impossible for an eavesdropper to recover the unage 220, 221 by using only the encoded 
sequence. 

Also shown in Fig. 2 is a personal decryption device 210. This device 210 is 
personal to a user and should be guarded well, as it is to be used to decrypt visually encoded 
messages sent by the server 200 to any of the clients 201-203. Anyone who gains physical 
control over the decryption device 210 can read all visually encrypted messages intended for 
the user. To add some extra security, entering a password or Personal Identification Number 
(PIN) could be requhed upon activation of the decryption device 210. The device 210 could 
also be provided with a fingerprint reader, or be equipped to recognize a voice command 
uttered by its rightfiil owner. 

The decryption device 210 comprises a display 21 1 and a storage area 212. 
The display 21 1 is preferably realized as an LCD screen with nematic liquid crystals. 
Although normally such a display 21 1 would have a polarization filter on both sides of the 
liquid CTystal layer, in this embodiment the display 21 1 only has one polarization filter (see 
also Fig. 8B). The LCD screen of the client 201 that receives the visually encrypted message 
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should then have a portion oftiie .topmost polarization filter removed. This portion should be 
large enough to aUow the display 21 1 to be superimposed upon it. Alternatively, the LCD 
screen of the cUent 201 can be provided with a (preferably small) separate display on which 
the display 211 is to be superimposed. In another embodiment (shown below with reference 
to Fig. 8 A) the display 21 1 has no polarization filter. 

The storage area 212 comprises at least a key sequence to be used in 
decrypting visually encrypted images. Elements of the key sequence represent arbitrary 
rotations of the polarization of cells in the display 211. The length of the key sequence stored 
in the storage area 212 should be long enough to accommodate a large number of decryption 
operations. When decrypting visually encrypted images, one element is necessary for each 
pixel of the original input image. 

After every deo^ption operation. Hie key elements used are jn-ef^^ly 
discarded or marked as used. In this way every decryption operation involves the use of a 
unique subsection of the key sequence. When all key elements have been used, the key 
sequence in the storage area 212 must be replaced. This can be realized by e.g. asking the 
owner of the decryption device 210 to replace his decryption device 210 with anew 
specimen, or to visit a secure location Uke a bank where it is loaded with a new key sequence. 

Alternatively, when a key sequence has been used, a ciyptogn^hic hash 
function or symmetric encryption scheme can be applied to the key sequence. The output of 
the hash function or encryption scheme is then used as the new key sequence. In this way a 
series of key sequences can be generated of any length, without having to store aU of the key 
sequences in the personal decryption device 210. Of course, if even one key sequence in Ihe 
series becomes known to an attacker, the attacker can also reconstruct all future key 
sequences. 

Another, more secure alternative is to employ a stream cipher (e.g. RC4 or 
SEAL) as a key generator. Stream ciphers encrypt plamtext one bit (or sometimes byte) at a 
time. The stream of plamtext bits are XORed with the output of a keystream generator which 
produces a pseudo-random stream of bits based on a seed value, which could be stored in the 
memory 212. This seed value is the key for the stream cipher. The stream of bits is used to 
derive arbitrary rotations which make up the key sequence. 

The decryption device 210 also needs to be equipped with hardware and/or 
software modules (not shown) enable of performing the above cryptographic operations. 
This could be realized e.g. by adding a processor and a memory comprising the software. 



5 
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The decryption device 210 is preferably embodied as a unit physically 
separate, or at least separable, from the cUent device 201-203. No electrical, optical or other 
conimimication paths between the decryption device 210 and the cUent should exist. As the 
patterns and the key sequence are provided in digital (electronic) form, any such 
communication paths could potentially be abused by an attacker to obtain a portion of the key 
-sequeaeer^tiiout-such^aths, a cnmpiomised cUent device cannot obtain information from 



the decryption device 210 in any way. In this way, it is achieved tiiat the user does not have 

to trust the security of the client 201 . 

In order to understand flie present invention's use of Uquid crystal displays for 
10 visual cryptography, first consider the construction of a common transmissive Hquid crystal 
display (LCD) in abaoklight setting, as shown in Fig. 3. 

A Ught source 301. typicaUy reaUzed as a backlight positioned behind the 
LCD screen, projects Ught waves with all possible polarizations towards a polarization filter 
302. Only Ught waves with one particular polarization pass through this polarization filter 
15 302. The Uquid crystal cells 303, 304 normally rotate the polarization of the light waves 

passing through them over a certain angle within a certain range, usually [0, 7i/2] or [0, 7i/4], 
depending on the conslxuction of the Uquid crystal display and tiie voltage appUed to the ceUs 
303, 304. 

The cells 303, 304 in this embodiment are twisted nematic liquid crystals, 
20 which is tiie most common type. Other types could of course be used instead. Also, rather 
than using a backUght, a reflective or transflective liquid crystal display could be used. 

If a particular voltage is appUed to a Uquid crystal cell, the inner molecular 
structure of the cell changes in such a way that the polarization of passing Ught is altered by a 
particular amount In Fig. 3, a voltage has been ^Ued to liquid crystal cell 304, but not to 
25 liquid crystal ceU 303. To indicate tiiat Uquid crystal ceU 303 rotates the polarization of 
passing Ught, it has been marked with the letter "R". For the sake of clarity, the rotation 
effected by Uquid crystal ceU 303 is shown in Fig. 3 as 7t/2 or 90 degrees, altiiough the 
rotation can in this case be any amount between 0 and n/l. 

The Ught waves that passed through liquid crystal cells 303, 304 subsequently 
30 cross a second polarization filter 305. This polarization filter 305 acts Uke polarization filter 
302 in that it only allows Ught waves with one particular polarization to pass through. 
Because the polarization of flie Ught that passed through Uquid crystal ceU 303 had been 
rotated, this Ught is blocked by the polarization filter 305, and so the output will appear as a 
black pixel 306. The polarization of the U^t that passed through activated Uquid crystal ceU 
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304 is unaltered, and so it passes through polarization filter 305 and appears as a white pixel 
307. To produce gray scale output, the polarization is rotated in this example somewhere 
between 0 and 7t/2. This means that only some of the Ught is let through by the polarization 
filter 305, which results in an output pixel with a lower intensity. 

Alternatively, the second polarization filter 305 could be chosen to let only 
light through that has been rotated over 7i/2 by the Uquid crystal cell 303. The ou^ut of the 
hquid crystal display will then be exactly opposite to what has been described above. 
However, tins is a mere design variation. 

The normalized intenaty / of the output pixel can be expressed as a function 
of the rotation effected by the liquid crystal cell. One such function, graphically shown in 
Fig. 4A, is / = cos^(a). 

For performing visual cryptography, rather than a single layer of Uquid 
crystals, there are now two layers of crystals between the polarization filters 302 and 305. 
Voltages can be £q>plied to the cells in each layer sq>arately to active these cells. The 
intensity of the output pixel now can be expressed as a function of the rotations ejBected by 
the cells in the two layers. If the cell in the first layer rotates by an amount ai and the cell in 
the second layer rotates by an amount aj, then the above function becomes: 

J = cos^{ai + a2)' 

As explained with reference to Fig. 2, the personal decryption device 210 
contains a key sequence. An element of tiiis sequence represents the rotation aa of the 
polarization of a particular corresponding cell in the display 212. This rotation az is chosen 
(pseudo-)randomly &om a certain range. Hie rotation ai is then chosen such that the intensity 
Ir of the reconstructed pixel is substantially equal to the intensity / of tiie pixel in the 
graphical message 220, 221. 

Liquid crystal displays can rotate the polarization direction of the polarized 
light which emerges fi-om the polarizer. Liquid crystals are molecules which have the 
property that the refiractive index n is different along tiie molecular axis and at ri^t angles to 
this. The difference in refi^tive index (/^ is called the birefringence. When polarized light 
passes through the Uquid crystal, the birefringence causes the direction of polarization to 
change. There are many configurations of Uquid crystals which are known firom the prior art 
in which the preferred rotation of 7t can be reaUzed. See for instance pp. 66-67 of S-T. Wu 
and D-K. Yang, Reflective liquid crystal displays. John Wiley and Sons Ltd., ISBN 0-471- 
49611-1. 
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In the most simple configuration of a nematic liquid arystal whose molecules 
only rotate in one direction, the rotation a (in radians) is given by 



-5- 



where d is the thickness of the cell and X the wavelength of the light. By choosing for 
example th? g^r '^'^ >>irftfrirtgence of the liq uid crystal properly, it is possible to 



constmct a cell with the required preferred rotation of it. 

A preferred method to create an encoded sequence from the graphical message 
220 or 221 given a key sequence is illustrated in Fig. 5. First, the graphical message 220 is 
generated in step 501 . This message 220 can simply be a gr^hical representation of a textual 

10 message, but might also comprise images. 

Next, steps 5 1 1-5 15 are performed for every pixel in the graphical message 
220. Decision step 502 detennines whether every pixel has been processed in this way, and if 
so, branches to step 590 in which the encoded sequence is transmitted to the client device 
201. The encoded sequence may be compressed before transmitting in step 590 to save 

15 bandwidth. 

Each pixel has an intensity /. It is assumed that this intensity / is normalized to 
a range [0, 1]. In step 51 1, the server 200 determines a total rotation value a representing a 
rotation of a polarization of a cell in a Uquid crystal display that results m a pixel with 
substantiaUy the intensity/. This can be done e.g. by computing a= arccos(|ViD. Preferably 
20 the server 200 first computes an intermediate value x as x = arccosdVCDI) and selects the 
value a as either x or ir- x. This choice between x and ir- s can be made randomly. 

In step 512 the server chooses an element oft &om tiie key sequence. As the 
reader will recall, this same element is present in or can be computed by tiie personal 
decryption device 210. The personal decryption device 210 presents apixel on the display 
25 211 by rotating the polarization of the corresponding cells in the liquid crystal layer in the 
display 211 by an amount indicated by tiie element oti. Since it is not possible (or desired) to 
communicate the value of o«2 to the personal decryption device 210, the server 200 must keep 
track of which element to use next. The element thus represents an arbitrary rotation of a 
polarization of a cell in a liquid crystal display. 
30 Usmg the computed total rotation value a and the element ofe, the server 

computes oii as a difference between these values in step 513. If this difference is negative, a 
value of Tc can be added to obtain a positive rotation . 
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The rotations used in the key sequence should be chosen from a range of 
size It. This has the advantage that an eavesdropper who obtains ai cannot learn anything 
about (X2 or Ir. If a2 is chosen from a smaller range, flae Probability Density Function (PDF) 
of /r depends on ai, or, P( | ai ) ^6 P( Ir ) and this reveals some information on Ir. 
5 In step SIS an element of the encoded sequence is output indicating the 

computed value 04. This value indicates flie rotation necessary, together with the arbitrary 
rotation indicated by a2, to obtain the original intensity/. There are of comse many ways in 
which this element can be output. It can be e.g. simply a numeric value representing ol\ itself, 
or a value which the client device 201 can translate into the correct rotation. For instance, a 
1 0 set of discrete values for amounts of rotation can be assigned respective identifiers, and those 
identifiers can then be output in the encoded sequence. 

If the properties of the LCD screen in the client device 201 are known to the 
server 200, then it becomes possible to create the encoded sequence as an image with pixels 
having respective intensities, in which the respective intensities correspond to the computed. 
15 rotations. Conventional LCD screens are already arranged to display such images by rotating 
the polarity of the cells in the liquid crystal layer accordingly. This has the advantage that the 
client device 201 needs no hardware modifications and can display the image using standard 
graphics rendering software. 

A possible algoritimi for computing a\ and outputting a corresponding element 
20 of the encoded sequence can be summarized as follows: 

1. Compute X = arccos|Vlj) 

2. Randomly choose a as either x or x- x 

3. Pick an element from the key sequence 

4. Compute ai as the difference between a and % 

25 S. If (Xi < 0 then output as element of the encoded sequ^ce ai + tc 
6. Otherwise, output a\ 

The last two steps can be combined into one by outputting as element of the encoded 
sequence a\ modulo tc. 

In the above it was assumed that the rotations Oi and Cfe can take any value in 
30 the range [0, tc]. In practice a pixel intensity is not always taken arbitrarily from the range 

[0, 1], but instead is often limited to, say, 2S6 possible values. This means that the number of 
possible values for the message value and the corresponding element of the key sequence is 
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limited as well. With such a limited mmiber of values, the security of the scheme may be 
reduced and the possible values of ai and must be chosen so as to obtain a secure scheme. 

A possible choice for k possible values is au= i^i/fc with is {0,. . .,A:-1 }and a2j= 
yjdk with j e (0,. .,Jc-\}. This choice will lead to less than k possible intensities as is illustrated 
5 in Fig. 4B which shows the graph of tiie intensity as a function of a. For six discrete values 

aie intensities are mdicated as'^uts~oTtrthisrjgraphrDuBrtar^ 

function, there are only four possible intaasities as indicated by the dotted lines. 

In order to maximize the number of possible intensities, an arbitrarily diosen 
oflfeet A can be added to the element Cfe. Fig. 4C illustrates the effect of introducing an of&et 
10 A = 7i/24. There are now six different possible intensities, as illustrated by the six dotted lines 
in the graph. The possible values of ai and oa are as follows: 
ay =m/k with i e {0,. . .,k - 1) 
cc2j = yVr/Ar + Awith J e {0,...*-l}andA e {0,7r/2k). 

It is easy to see that, due to the ir-periodicity of cos^(a), it holds that for any 
ie {0, .... k-1} there are A; possible intensities I. 
15 Ii =cos(/;r/A: + A)with / 6 {0,...fc-l}. 

By observing the contents of the first share, an adversary gets no information 
on the intensity of a pixel in the original graphical message. Hie offeet A can of course also 
be added to the message value ai, or be distributed over both. 

One way of computing values for i aadj necessary to compute the message 
20 value ai and outputting a corresponding element of tibie encoded sequence in the case that 
only a limited set of discrete values is available can be summarized as follows: 



1. Compute I e (0, .... k^l} such that 



/-cos^ 



is minimal; 



2. Ul-J<0 then output i = l-J + k 

3. OthCTwise, output / = / -J 

25 In color liquid crystal displays, one color pixel is built fi-om three sub-pixels or 

color components. Bach sub-pixel has a respective different color (red, green and blue) by 
applying a color filter. An additional fourth subpixel, having a neutral (grayscale) color, can 
be provided for better control of the brightness of the output. Of course cyan, magenta and 
yeUow can easily be substituted for red, green and blue. Other ways to achieve color pixels, 

30 for example using only two color components, are also possible. 
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As with gray scales, the intensity of each of these color components can be 
changed individually by changing the respective rotations (aR, oo and as) and in this way, 
pixels of any color can be produced. Thus a pixel of any arbitrary color can be represented as 
a set of three intensities or as a set of three rotations. This allows the application of ihe 
inventive method for graphical messages in arbitrary colors, rather than m arbitrary 
grayscales as was the case in the embodiment of Fig. 5. 

In Fig. 6, the method of Fig. 5 is extended with respective determining steps 
521, 531, choosing steps 522, 532, computing steps 523, 533, delta adding steps 524, 534 and 
output steps 525, 535 for aU three intensities of a pixel. The skiUed reader will understand 
that the steps 521-525 and 531-535 are in essence identical to the steps 511-515 as set out 
previously. They sinq>ly operate on the individual intensities of the green and blue sub- 
pixels. The steps 51 1-515 now operate on the individual intensity of the red sub-pixel. 

The result is a set with three rotations aiR, aio and aiB (for red, green and 
blue) is obtained for that pixel. The encoded sequence now comprises such a set for each 
pixel of the colored graphical message, and so contains information on the color of the pixel, 
which allows reconstruction of the gr^hical message in the origmal colors. 

Figs. 7A-C schematically illustrate the operation of the client device 201. The 
client device 201 is in this embodiment connected to a network such as the Internet using a 
mobile phone 702, as is generally known in the art. Using a data connection established using 
the mobile phone 702, the cUent device 201 can transmit data to and receive data from the 
servw 200. 

In Fig. 7A, the device 201 receives the encoded sequence from the server 200 
which was produced as set out above with reference to Fig. 5 or 6, and displays the elements 
of the sequence as respective pixels on a portion of Uquid crystal display 701. This portion 
can be an area of a relatively large multi-purpose display, or the entirety of a relatively smaU 
dedicated display. The encoded sequence is displayed by rotating the polarization of 
respective cells in tiie liquid crystal layer in LCD 701 by an amount indicated by respective 
elem^ts in the encoded sequence. 

The sequence could for instance look something like 
{0, 7C/4, 371/4, 7C/2, 7C/2, 7i/3, . . . } , i.e. directly indicating the desired rotations of the cells to 
produce pixels with a particular intensity. Alternatively, if particular intensities or rotations 
are assigned identifiers beforehand, then the sequence only needs to contain the ^propriate 
identifiers. This typically reduces the length of the encoded sequence. 
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Observe that no processing or decrypting step is necessary in the device 201 
before any displaying takes place; the bit sequence is displayed as it is received. It may be 
advantageous to display the pixels in a comer of the display 701, as wiU become apparent 
below. If the display 701 does not comprise a topmost polarization filter, the displayed black 
and white pixels will not become directly visible to a usct. 

Upon r^^ ngni^ing that a visuallv encrypted image has been sent to the cUent 



device 201. the user in Fig. 7B takes his personal decryption device 210 and activates it. This 
causes the decryption device 210 to output a graphical r^resentation in dependence on the 
key sequence stored in storage area 212. 

The decryption device 210 must be progranmied in advance with the 
dimensions of the image that was generated by the server 200. Of course, an input means that 
allows the user to enter these dimensions for each image separately can also be provided, but 
this makes the decryption device 210 more complex and more expensive. 

The decryption device 210 rotates the polarization of respective ceUs in the 
Uquid crystal layer in the LCD 21 1 by an amount indicated by respective elements in the key 
sequence, similar to how the encoded sequence serves as a basis for rotation in the cUent 
device 201. 

hi Fig. 7C, the user superimposes the personal decryption device 210 upon the 
pixels displayed on display 701. To faciUtate such superhnposing, the edge of the display 701 
can be provided with hooks or clanq)s m a comer (not shown), by which the personal 
decryption device 210 can be festened to a particular position on top of the display 701 . This 
way. it is very easy for the user to properly superimpose the personal decryption device 201 
upon the patterns on the display 701 if these patterns are displayed in the corresponding 

position on tiiie display 701 . 

Because both the decryption device 210 and the cUent device 201 each 
effectively display one share of a visually encrypted image, the user can now observe the 
reconstructed image, hi the example of Fig. 7C, the reconstructed message is the textual 
message "A!" in black lettering with a grayscale bar below. 

Because neither the chent 201 nor the personal decryption device 210 at any 
time has sufficient information to reconstruct the image itself, the contents of the hnage 220 
cannot be recovered by a malicious application nmning on either device. Further, smce the 
personal decryption device 210 does not have any communication means, it is impossible to 
obtain the key sequence from the storage area 512 without gaining physical access to the 
deraryption device 210. 
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One particularly useful application is to securely allow composition of a 
message by the operator of client 201, In this embodiment, the servCT generates the image 
221 so that it represents a plurality of input means such as keys on a keyboard. Each input 
means represents an input word that can be used in the message that will be composed by the 
5 user. Next to keys, the input means could also be checkboxes, selection lists, sliders or other 
elements typically used in user interfaces to facilitate user input. 

The server 200 then produces an encoded sequence for the image 221 and 
sends the sequence to the client device 201. The user positions his decryption device 210 
above the area in which the bit sequence is displayed, activates the decryption device 210 and 

10 then is able to view the input means. The user then composes the message by selecting keys 
or other input means rendered as an image on the display of the client device 201 . Such keys 
could be visually rendered as keys representing different alphanumerical characters, or as 
buttons representing choices like •Yes*, •No', •More mformation' and so on. Other ways to 
visually represent input means are well known in the art. 

15 Selecting the input means is preferably done by selecting a particular set of 

coordinates on the display of the client device 201. Preferably, the user inputs the set of 
coordinates by applying pressure to a particular spot of the display, the set of coordinates 
corresponding to the particular spot. Because the image representing the input means can 
only be seen when the decryption device 210 is superimposed upon the client 201, the user is 

20 advised to apply pressure to the display 21 1 of the decryption device 210. This pressure will 
be transferred to the display of the client device201 , which when equipped witihi a touch- 
sensitive screen can register the spot to which pressure was applied, and translate this to a set 
of coordinates. Of course, other input devices such as a mouse, a graphics tablet or even a 
keyboard can also be used. 

25 By itself it is known to allow composition of a message through visually 

rendered mput means on a display, see e.g. US-B-6209102. This US patent, however, does 
not protect the composed message against interception by an eavesdropper. It also fails to 
teach how such an image representing input means can securely be transmitted to the client 
device 201. This means that an eavesdropper can leam the layout of the input means 

30 represented on the image, and leam from the feedback sent by the client device 201 to the 
server 200 which input means were selected. 

It is observed that different input means may, but need not necessarily, 
represent different input words. Providing multiple input means representing the same input 
word has the advantage that a sequence of inputs made by the user can appear to be random 
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even when the sequence contains repetitions. As used here, the term "word" can mean single 
alphanumerical characters, but also texts like *Yes*, *No' and so on, as weU as o1h.&c 
linguistic or symbolic elements. 

Having received one or more sets of coordinates, the client device 201 
5 transmits these sets of coordinates to the server 200. It is observed that eavesdropping 

software-seerefly4nstalled-Qa-the-clientdevice 201 r^ntiot 1earajmy.passwords or sensitive 

information entered in this fashion. At the most, such software would be able to learn the 
particular sets of coordinates entered in this particular session. These sets could then be used 
to impersonate the user in a future session. 
10 To prevent this type of so-called 'replay' attack, the server 200 should 

randomize the placement of the input means on the image 221 every time. If the 
eavesdropping software then retransmits the sets of coordmates it learned, in order to 
impersonate the user in a subsequent session, the server 200 will not authenticate the 
impersonator, as the sets of coordinates do not correspond to the correct password or other 
15 authentication code. In fact, these sets of coordinates need not even correspond to the 
location of input means on the image generated in the subsequait session. 

When the server 200 receives the sets of coordinates, it translates each set of 
coordinates to a particular input means represented on the image. Since the server 200 
composed this image, tianslating a set of coordinates to an input means in the server 200 is 
20 straightforward. Finally, the message composed by the user is constructed as the input words 
represented by the particular input means to which the sets of coordinates were translated. 
See e.g. the above-mentioned US-B-6209102 for more information. 

While the message composed in the above feshion can of course contain any 
kind of information, preferably this message contains an authentication code such as a PIN 
25 code or a password. The server 200 can now check the PIN code or password to verify the 
credentials of the user, and grant access, perform one or more privileged operations or 
perform some other action for which these credentials are necessary. The server 200 could 
also signal anotiier system upon a successful verification of the credentials. 

Figs. 8A-8D illustrate various embodiments for the liquid crystal displays 701 
30 and 21 1 . Ordinary liquid crystal displays are constructed as shown in Fig. 3, with two 

polarization layers and a layer witii liquid crystals in between. However, in the invention 
tiiere are two liquid crystal layers LI and L2 superimposed on each other, witiiout 
interv^iing polarization layers. 
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In Fig. 8A, the Hquid crystal display 701 comprises first polarization layer 
302, Uquid crystal layer LI and second polarization layer 305. A space has been left open 
between Uquid raystal layer LI and second polarization layer 305, which is large enough to 
accommodate the insertion of the Uquid crystal display 21 1 . This may require an opening in 
the cUent 201 in which the Uquid crystal display 701 is instaUed, so that the user can easily 
perform the insertion. 

The opting or slot can be either between the first polarization layer 302 and 
the Uquid crystal layer LI, or between the Uquid crystal layer LI and the second polarization 
layer 305 (the latter is shown in Fig. 8A). Note that the user would view the output &om the 
right side of Fig. 8A (as the Ught source would be on the left, see also Fig. 3). In a preferred 
embodiment the slot wiU be situated on the non-viewing side as this allows easy use of a 
touch screen in the cUent device 201 . 

In Fig. 8B, the construction of the Uquid crystal display 701 is conventional, 
but a portion of the second polarization layer 305 has been omitted in the Uquid crystal 
display 701. This portion is chosen to be large enough to accommodate superposition of the 
Uquid crystal display 21 1 on the underlying liquid crystal layer LI . 

Tn the construction of the Uquid crystal display 21 1 a portion of one of the 
polarization layers has been omitted as weU. Preferably this portion is of equal dimensions as 
the portion omitted in the Uquid crystal display 701. This way, when superimposing the 
Uquid crystal display 21 1 on the Uquid crystal display 701, the Uquid crystal layers H and L2 
are directly put on top of each other, without intervening polarization layers. 

In Fig. 8C the Uquid crystal display 701 conqwises a scattering minor 802, 
rather than the first polarization filter 302. The second liquid crystal display 211 can now be 
inserted either between the first Uquid crystal layer LI and the polarization filter 305 or 
between the first Uquid crystal layer LI and the scattering minor 802. In this embodiment no 
Ught source 301 is necessary, as incoming ambient light now serves as Ught source. This 
makes the display 701 in this embodiment a reflective liquid crystal display. 

In this embodiment, the Uquid crystal ceUs 303, 304 should rotate the 
incoming Ught at an angle half that of the transmissive case, as the Ught passes twice through 
the cells because of the mirror 802. 

hi Fig. 8D a transflective display 701 is used, comprising both the mirror 802 
and the polarization filter 302. The mirror 802 is now reaUzed as a mesh or grid, so that Ught 
coming &cm the backUght 301 (not shown) can pass through the mirror 802. Ihcoming 
ambient Ught can stiU be reflected by the mirror 802. This way, the user can activate the 
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backlight if the incoming ambient light is insufficient to produce a clear image, or deactivate 
the backlight to save power. This is especially useM when the display 701 is comprised in a 
standalone device with a battery, like a mobile telephone. 

It should be noted that the above-mentioned embodiments illustrate rather than 
5 limit the invention, and that those skilled ia the art will be able to design many alternative 
prnhnHi'mRnts without departing from the scope of the appended claims. For instance, the 
decryption device 210 can be incorporated in the lid of the client device 201, which makes 
properly positioning the display 21 1 over the display 701 trivial. Of course there should be no 
electronic connection between the Ud and the cUent device 201, other than any mechanical 
1 0 connections necessary to open and/or close the lid. 

The invention can be used in any kind of device in which a secure 
communication from a server to a client and/or vice versa is necessary. Client devices can be 
embodied as personal computes, laptops, mobile phones, palmtop conq)uters, automated 
teller machines, public Intranet access temainals, or in fact any client device that is not 
1 5 completely trusted by its user to not contain any malidous software or hardware. 

In the claims, any referraice signs placed between parentheses shall not be 
construed as Umiting the claun. The word "comprising" does not exclude the presence of 
elements or steps other than those listed in a claim. The word "a" or "an" preceding an 
element does not exclude the presence of a plurality of such elements. 
20 The invention can be implemented by means of hardware comprising several 

distinct elemraits, and by means of a suitably programmed computer. In the device claim 
enumerating several means, several of these means can be embodied by one and the same 
item of hardware. The mere fact that certain measures are recited in mutually different 
dependent claims does not indicate that a combination of these measures cannot be used to 
25 advantage. 
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CLAIMS: . ' 



1- A method of encoding a graphical message based on a key sequence as an 
encoded sequence of infomiation units, comprising for each pixel of the graphical message, 
said pixel having a normalized intensity I: 

detOTnining a total rotation value a representing a rotation of a polarization of 
5 a cell in a liquid crystal display resulting in a pixel with substantially the intensity I, 

choosing an elCTient from the key sequence, the element representing an 
arbitrary rotation of a polarization of a cell in a liquid crystal display, 

computing a first message value ai as a diflEerence between the rotation value 
a and the element c^, and 

10 outputting an element of flie encoded sequence based on the first message 

value ocu 

2- Th® mefliod of claim 1 , further comprising computing an intermediate value x 
as X == arccos(|V® I) and determining the value a as either x or tt- x. 

15 

3- The method of claim 1, in which the normalized intensity I coixesponds to an 
intensity of a first color component of the pixel in question, and further comprising 

repeating the determining, choosing and computing steps for a second rotation 
value corresponding to a normalized intensity of a second color component of said pixel to 
20 obtain a second message value, 

repeating the determining, choosing and computing steps for a diird rotation 
value correspondmg to a normalized intensity of a third color component of said pixel to 
obtain a third message value, and 

outputting the element of the encoded sequence further based on the second 
25 and third message values. 



4. The method of claim 1, in which the intensity I is an element of a finite set 

with discrete values, the method further comprising choosing an offset A and adding the 
offset A to at least one of: the first message value ai and the element ofe. 
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5. A computer program product arranged for causing a processor to execute the 
method of claim 1. 

6. A device for reconstructing a graphical message based on a key sequence, 

eoD^rismg — 

receiving means for receiving an encoded sequence of information xmits, 
a first liquid crystal display arranged for displaying the sequence of 
information units by rotating the polarization of respective cells in a first liquid crystal layer 
by an amoimt indicated by respective elements in the encoded sequence, 

a second liquid crystal display, different firom the first liquid crystal display, 
arranged for rotating the polarization of respective cells in a second liquid crystal layer by an 
amount indicated by respective elements m the key sequence, in which the first and second 
liquid crystal display are arranged to be superimposed on each other. 

7. The device as claimed in claim 6, in which the first Uquid crystal display 
comprises a reflective Uquid crystal display. 

8. The device as claimed in claim 6, in which the second liquid crystal display is 
embodied in a unit physically separable fix)m the first liquid crystal display, and provided 
with a memory for storing the key sequence. 

9. The device of claim 6, comprismg means for receiving input representing a set 
of coordinates firom a user, and means for transmitting the received input to a server. 

10. The device of claim 9, in which the input is received as pressure on a 
particular spot of the first liquid crystal display, the set of coordinates corresponding to the 
particular spot. 
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ABSTRACT: 



A method of encoding a gr^hical message (220, 221) based on a key 
sequence as an encoded sequence of infonnation units. For each pixel of the message, said 
pixel having a nonnalized intensity I, a total rotation a which results in a Uquid crystal 
display in a pixel with substantially the intensity I is detemiined. The key sequence contains 

5 arbitrary rotations. The difference between the total rotation Of and a corresponding rotation i 
the key sequence is output as an element of the encoded sequence. A device (201) presents 
pixels with rotations indicated by the encoded sequence on a first display (701) and pixels 
with rotations indicated by the key sequence on a second display (21 1). Superimposing the 
two displays reveals the graphical message. The method can be repeated for red, green and 

0 blue intensities of color pixels, allowing colored graphical messages to be encoded and 
reconstructed. 
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